Skip to main content

golang.org/x/crypto/ssh CVE-2026-46595

| EUVDEUVD-2026-31398 CRITICAL
Incorrect Authorization (CWE-863)
2026-05-22 Go GHSA-x527-x647-q7gg
10.0
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
SUSE
8.1 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 28, 2026 - 15:09 vuln.today
CVSS changed
May 28, 2026 - 15:07 NVD
10.0 (None) 10.0 (CRITICAL)
Patch available
May 22, 2026 - 04:31 EUVD
CVE Published
May 22, 2026 - 02:31 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

AnalysisAI

Authorization bypass in the Go golang.org/x/crypto/ssh package before version 0.52.0 allows remote attackers to circumvent source-address restrictions when SSH server configurations use callback authentication types other than public key. This is an incomplete-fix follow-up to CVE-2024-45337, which only addressed the public-key callback path while leaving other callback types vulnerable to the same source-address validation skip. No public exploit identified at time of analysis, EPSS is very low at 0.02%, and SSVC indicates no observed exploitation though the issue is automatable with partial technical impact.

Technical ContextAI

The golang.org/x/crypto/ssh package is the canonical Go implementation of the SSH protocol used widely by Go-based servers, bastions, and CI/CD tooling. The vulnerability is a CWE-863 incorrect authorization weakness in the server-side authentication callback handling: when an SSH server configuration registers authentication callbacks of a type other than PublicKeyCallback (for example PasswordCallback, KeyboardInteractiveCallback, or GSSAPIWithMICConfig), the source-address restriction logic - which is meant to enforce per-principal IP allowlists declared in certificates or authorized_keys options - is bypassed entirely. CVE-2024-45337 closed this gap only for public-key flows, and CVE-2026-46595 extends the same fix to the remaining callback types. The affected CPE is cpe:2.3:a:golang.org/x/crypto:golang.org/x/crypto/ssh, and the fix landed via go.dev/cl/781642 and is tracked as GO-2026-5023.

RemediationAI

Upgrade golang.org/x/crypto to version 0.52.0 or later (vendor-released patch: 0.52.0) by running go get golang.org/x/crypto@v0.52.0 and rebuilding all affected binaries, since this is a compile-time dependency rather than a runtime library. The fix commit is https://go.dev/cl/781642 and the Go vulnerability advisory is https://pkg.go.dev/vuln/GO-2026-5023; consult the golang-announce notice at https://groups.google.com/g/golang-announce/c/a082jnz-LvI for the full disclosure. If immediate upgrade is not possible, the practical workaround is to stop relying on SSH source-address restrictions as a security boundary when using password, keyboard-interactive, or GSSAPI callbacks - instead enforce IP allowlisting at the network layer via firewall rules or a reverse proxy, accepting the operational trade-off of duplicating policy outside the SSH server configuration; alternatively, restrict server configurations to PublicKeyCallback only, which prevents the bypass but breaks any deployment that requires password or interactive auth.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SLES15-SP6-CHOST-BYOS-GCE Fixed
SLES15-SP7-CHOST-BYOS-GCE Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-46595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy